System Service: Allow Admins to Impersonate User for Recovery

I'm working with a suite which allows users to work with encrypted
data. The data is encrypted under a key which is encrypted with DPAPI
(ie, tied to a user's account). So the user calls CryptUnprotectData
to retrieve their bulk encryption key, and then performs bulk
encryption using that key.

The software needs to allow an administrator to recover the encrypted
data. I believe that means an administrator needs to be able to call
CryptUnprotectData under a user's context to recover the key.

Is there an API call which allows a System Service to impersonate a
user *without* the user's password? Or do I need to look to other
functions/methods for the recovery effort?